Risk management is one of the most commonly used terms in Information Security. Many security professionals describe the most critical aspect of their job as 'risk management' or 'risk assessment'; however, it is a broad term. Many frameworks and codes of practice define it as 'the control of adverse events to an acceptable level of loss exposure.' Risk management is an organization's best effort to prevent unauthorized parties from accessing valuable assets and resources; it is also a crucial process within project management for identifying such potential risks.

While the definition and scope of risk management are wide-ranging, effective risk management is the product of taking a particular set of measures. Without tailoring risk management efforts to meet our precise needs, we are left with generic 'best practices' that may or may not be effective in a given scenario. These nonspecific practices are what lead to the gaps between risk management theory and risk management practice. Below, we briefly describe three common gaps found within risk management standards.

Gap: Incomplete Risk Management

An alarmingly low number of security professionals consider asset management, or asset inventory, to be an essential security process. Many even rank it as the least essential control within their risk management plan. Not surprisingly, a majority of security professionals report having low confidence in their inventory. We cannot protect our assets if we do not know what they are. An organization's risk management processes will undoubtedly be lacking without this vital information.

Gap: Biased Risk Appraisal

Prevalent articles with over-zealous headlines often magnify the amount of risk posed by 'Advanced Persistent Threats' (APTs). APTs were ranked as the top threat by security professionals, one of the most vital risks identified. Most industries, however, are not even targeted by APTs. The most significant risks to almost all organizations are considered commonplace in the Information Security industry: web application attacks and credential theft. Though these risks are not nearly as sophisticated as APTs, they must be adequately guarded against to prevent them from occurring; they are a vital piece of any risk management strategy.

Gap: Misaligned Risk Mitigation

Due to factors such as the biased risk appraisal noted above, some cybersecurity professionals' processes do not align with the threats that are actually occurring. An overwhelming majority of security professionals consider traditional firewalls and anti-virus software to be the most critical technical controls for handling enterprise risk. While undoubtedly necessary, these controls do not adequately protect against web application attacks. Additionally, DDoS was ranked as the second most significant security threat (behind APTs), yet very few organizations utilize anti-DDoS defenses. It is crucial not only to identify the risks correctly, but then to take the right steps to prevent them.